Cisco Support Community
Community Member

how to disable a VPN tunnel - Site-to-Site

Hello all!

I want to know how to disable a VPN.

I have a VPN configured and working fine. But I needed to create a second VPN for the same company, just for backup, so in that case I have a different peer.

I want to configure that backup VPN, but I'm looking for a way to disable it. For example, we can disable an ACL, we can disable a NAT... How do I disable a VPN?

The idea is, when I need to make the backup work, I just enable it, something like this.

Thanks,


Diego

9 REPLIES
Hall of Fame Super Silver

You can just add a secondary peer address if all other parameters are the same. That way when the primary goes down, the VPN will automatically establish to the secondary with no manual intervention required. Something like:

crypto map VPNMAP 10 set peer 1.1.1.1 2.2.2.2

You will also need to have a tunnel-group for each peer with the same PSK set.
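
The dependency described in the reply above (every peer in the crypto map needs its own tunnel-group carrying a PSK) can be checked against a saved configuration. The following is an added example, not part of the original thread: the function name `check_peers` and the sample config are constructed for illustration, and because `show running-config` masks keys as `*****`, it verifies that a key is present, not that the keys match.

```python
import re

# Constructed sample config: peer addresses taken from the reply's example,
# keys masked as they appear in "show running-config" output.
SAMPLE_CONFIG = """\
crypto map VPNMAP 10 match address VPN-ACL
crypto map VPNMAP 10 set peer 1.1.1.1 2.2.2.2
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 2.2.2.2 type ipsec-l2l
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
TG_TYPE_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
TG_ATTR_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")

def check_peers(config):
    """Return {(map, seq, peer): [problems]} for peers lacking a usable tunnel-group."""
    peers, l2l, keyed, current = [], set(), set(), None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            current = None  # an unindented line ends any ipsec-attributes sub-mode
        if m := PEER_RE.match(line):
            # One "set peer" line may list a primary and any backup peers
            peers += [(m[1], int(m[2]), p) for p in m[3].split()]
        elif m := TG_TYPE_RE.match(line):
            l2l.add(m[1])
        elif m := TG_ATTR_RE.match(line):
            current = m[1]
        elif current and re.search(r"pre-shared-key \S+", line):
            keyed.add(current)  # matches plain, ikev1 and ikev2 key lines
    findings = {}
    for entry in peers:
        problems = []
        if entry[2] not in l2l:
            problems.append("no ipsec-l2l tunnel-group")
        if entry[2] not in keyed:
            problems.append("no pre-shared-key")
        if problems:
            findings[entry] = problems
    return findings

if __name__ == "__main__":
    for (name, seq, peer), problems in check_peers(SAMPLE_CONFIG).items():
        print(f"{name} {seq} peer {peer}: {', '.join(problems)}")
```

On the sample, the backup peer 2.2.2.2 is flagged because its tunnel-group has no key configured, which is the case where failover to the secondary would not authenticate.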

Community Member

Hi Marvin, thanks for help too!

I did not know about a secondary peer. I will insert the secondary in the respective crypto map. I will take a look at the tunnel-group!

But, if the protected traffic is different in the remote network, I cannot use it? Because in Production the remote network is X and in the backup VPN the remote network is Y, so they are different.

Hi Diego,

You can refer to the below-mentioned post for the site-to-site dual VPN.

http://networkology.net/2013/03/08/site-to-site-vpn-with-dual-isp-for-backup-redundancy/

HTH

Regards

Karthik

Hall of Fame Super Silver

You're welcome.

If there are different subnets on each, you can't use it without some changes.

What you could do is just make the single access list / crypto map include both sets of subnets. Whether or not that would suit would depend on how the applications and systems that use the network fail over.

Hi,

You can configure the backup VPN as suggested by Marvin. But to bring the primary down, you clear the VPN peer and test once you have the backup tunnel ready.

Regards

Karthik

Community Member

Hi nkarthikeyan,

Thanks for the help! I will try it and test!

Community Member

Hi Diego,

I had a similar requirement and I was able to sort it out with some help, just go through this thread and let me know whether it helps...

https://supportforums.cisco.com/discussion/12219291/multiple-site-site-vpns-same-intersting-traffic-ha-vpn

Regards,

Bobby Thomas

Community Member

Thanks guys!

With your help, I made a plan for it and I will test it next weekend!

I will post it on Monday!!

Thanks one more time!

Diego

Community Member

Hello Guys!

I configured the new tunnel, with the same PSK.

I edited the crypto map and inserted the new Peer Bkp.

I noticed that a new Connection Profile was created... so I went in to check, and when I tried to change the options inside, just to check, I received some messages, which are attached... Is it normal?

I changed the IPs for "Peer Prod" and "Peer Bkp" just for security.

The same message appears when I try to edit the Peer Prod Connection Profile as well.

Thanks!

Diego
